## Article Link: https://dev.wix.com/docs/go-headless/get-started/about-admin-operations.md

# About Admin Operations

Admin operations are backend API calls that require elevated permissions to access or modify a headless project's business data.

## When to use admin operations

Use admin operations to perform actions that affect data beyond the current visitor's session. For example, you can:

- Create, approve, or delete site members.
- Add products to your store or update inventory.
- Update order status, issue refunds, or fulfill orders.
- Confirm, cancel, or reschedule bookings.
- Query all orders, members, or bookings across your project.

## Elevation with client credentials (recommended)

The recommended way to perform admin operations for all headless projects is to elevate your API calls using the Wix OAuth flow. You exchange your OAuth app's client ID and client secret for a short-lived access token, then use that token to authorize your admin API calls.

### Generate a client secret

The client secret authenticates your backend code as the app itself, granting it the administrative access needed for admin operations. Unlike the client ID used for visitor and member authentication, the client secret is required only for this elevated flow.

To generate a client secret:

1. In your project dashboard, go to **Settings** > **Development & integrations** > [Headless Settings](https://www.wix.com/my-account/site-selector/?buttonText=Select%20Site&title=Select%20a%20Site&autoSelectOnSingleSite=true&actionUrl=https:%2F%2Fwww.wix.com%2Fdashboard%2F%7B%7BmetaSiteId%7D%7D%2Foauth-apps-settings).
2. Next to the relevant headless client, click the more actions menu to open that client's settings.
3. In the **Client info** section, under **Client secret**, click **Generate Client Secret**.
4. Copy the client secret and store it securely.

<blockquote class="important">

__Important:__ You can only view the client secret once, immediately after you generate it. If you lose it, generate a new one. Store your client secret securely and only use it in backend code.

</blockquote>

### Get an access token

With your OAuth app's client ID and secret, call the [Create Access Token](https://dev.wix.com/docs/api-reference/app-management/oauth-2/create-access-token.md) endpoint using the `client_credentials` grant type:

- `client_id`: Your OAuth app ID.
- `client_secret`: Your OAuth app secret.
- `grant_type`: `client_credentials`.

For example:

```bash
curl -X POST 'https://www.wixapis.com/oauth2/token' \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "<OAUTH_APP_ID>",
    "client_secret": "<OAUTH_APP_SECRET>"
  }'
```

The response contains a short-lived access token:

```json
{
  "access_token": "<ACCESS_TOKEN>",
  "token_type": "Bearer",
  "expires_in": 14400
}
```

Pass the access token in the `Authorization` header of your admin API calls:

```bash
curl -X POST 'https://www.wixapis.com/stores/v3/products' \
  -H 'Authorization: <ACCESS_TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{ "product": { "name": "My product" } }'
```
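The token is valid for `expires_in` seconds (14400 in the response above), so backend code can reuse it rather than send the client secret on every call. The following is an added example, not code from the Wix documentation: `createTokenProvider`, `adminFetch`, the environment variable names, and the 60-second refresh margin are assumptions, while the endpoint, request body, and response fields are the ones shown on this page.

```javascript
// Added example, not Wix code. Endpoint, body and response fields are from this page;
// createTokenProvider, adminFetch and the 60-second skew are assumptions.
const TOKEN_URL = "https://www.wixapis.com/oauth2/token";
const SKEW_MS = 60_000; // refresh early so a token never expires mid-request

function createTokenProvider({ clientId, clientSecret, fetchImpl = fetch, now = Date.now }) {
  if (!clientId || !clientSecret) throw new Error("client ID and secret are required");
  let cached = null;   // { token, expiresAt } held in backend memory only
  let inflight = null; // concurrent callers share one token request

  async function requestToken() {
    const res = await fetchImpl(TOKEN_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        grant_type: "client_credentials",
        client_id: clientId,
        client_secret: clientSecret,
      }),
    });
    // Report only the status: the request body holds the secret and must not reach logs.
    if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
    const { access_token, expires_in } = await res.json();
    if (!access_token || !Number.isFinite(expires_in)) throw new Error("unexpected token response");
    cached = { token: access_token, expiresAt: now() + expires_in * 1000 - SKEW_MS };
    return cached.token;
  }

  return async function getToken() {
    if (cached && now() < cached.expiresAt) return cached.token;
    if (!inflight) inflight = requestToken().finally(() => { inflight = null; });
    return inflight;
  };
}

// Admin call with the token in the Authorization header, as in the curl example above.
async function adminFetch(getToken, url, body, fetchImpl = fetch) {
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { Authorization: await getToken(), "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`admin call failed with HTTP ${res.status}`);
  return res.json();
}

// Backend wiring (hypothetical variable names; the secret comes from the environment):
// const getToken = createTokenProvider({ clientId: process.env.WIX_CLIENT_ID, clientSecret: process.env.WIX_CLIENT_SECRET });
```

Create one provider per backend process and pass its `getToken` to every admin call, so the secret is read once from the environment and never travels to the browser.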

### Elevation with `@wix/essentials` (Wix Astro projects)

If your project uses the [Wix Astro Integration](https://dev.wix.com/docs/go-headless/wix-managed-headless/authentication/about-authentication-with-the-astro-integration.md), you don't need to manage credentials or tokens yourself. Authentication and elevation are handled using the [`@wix/essentials`](https://dev.wix.com/docs/sdk/core-modules/essentials/auth.md#methods) package.

To perform an admin operation from your backend code, wrap a restricted SDK method with [`auth.elevate()`](https://dev.wix.com/docs/sdk/core-modules/essentials/auth.md#methods) and call the elevated version. The elevated method runs with the permissions it requires.

<blockquote class="warning">

__Warning:__ Elevation lets your code call methods it typically can't access. Use it intentionally and only in backend code. Pay special attention when using `elevate()` in backend code that can be triggered from the frontend or exposed as an API to outside callers.

</blockquote>
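
One way to apply this warning when an elevated method sits behind an endpoint that the frontend can reach, as an added example that is not code from the Wix documentation: `guardElevated`, the `caller` shape, and the role and field names are hypothetical, and `elevatedFn` stands for a method you have already wrapped with `auth.elevate()`.

```javascript
// Added example, not Wix code. `elevatedFn` is assumed to be the result of
// auth.elevate(someSdkMethod); guardElevated and the caller shape are hypothetical.
function guardElevated(elevatedFn, { requiredRole, allowedFields }) {
  return async function handler(caller, input) {
    // 1. Identity must come from the server-verified session, never from the request body.
    if (!caller || !caller.memberId) {
      return { status: 401, error: "not authenticated" };
    }
    // 2. The elevated call no longer depends on the caller's permissions,
    //    so the handler has to check them explicitly before going further.
    if (!Array.isArray(caller.roles) || !caller.roles.includes(requiredRole)) {
      return { status: 403, error: "forbidden" };
    }
    // 3. Forward only allow-listed fields so a caller cannot widen what
    //    the elevated method changes by adding extra properties.
    const safe = {};
    for (const key of allowedFields) {
      if (Object.prototype.hasOwnProperty.call(input ?? {}, key)) {
        safe[key] = input[key];
      }
    }
    if (Object.keys(safe).length === 0) {
      return { status: 400, error: "no updatable fields" };
    }
    return { status: 200, result: await elevatedFn(safe) };
  };
}

// Constructed usage: only members holding the hypothetical "inventory-manager"
// role may change stock, and only the `quantity` field is passed through.
function makeInventoryHandler(elevatedUpdateInventory) {
  return guardElevated(elevatedUpdateInventory, {
    requiredRole: "inventory-manager",
    allowedFields: ["quantity"],
  });
}
```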

## API key (self-managed projects)

If you're building a [self-managed headless project](https://dev.wix.com/docs/go-headless/self-managed-headless/about-self-managed-headless.md), you can choose to authenticate with an API key. API keys grant a custom set of permissions to your backend code. Unlike OAuth tokens that represent a specific visitor or member, API keys represent administrative access to your project.

To get started with API key authentication:

- [Generate an API key](https://dev.wix.com/docs/api-reference/articles/authentication/api-keys/generate-an-api-key.md)
- [Make API Calls with an API Key](https://dev.wix.com/docs/api-reference/articles/authentication/api-keys/make-api-calls-with-an-api-key.md)

<blockquote class="important">

__Important:__ Store your API keys securely and only use them in backend code.

</blockquote>

## See also

- [Create Access Token](https://dev.wix.com/docs/api-reference/app-management/oauth-2/create-access-token.md)
- [About API keys](https://dev.wix.com/docs/api-reference/articles/authentication/api-keys/about-api-keys.md)
- [Make API Calls with an API Key](https://dev.wix.com/docs/api-reference/articles/authentication/api-keys/make-api-calls-with-an-api-key.md)
- [`auth` in `@wix/essentials`](https://dev.wix.com/docs/sdk/core-modules/essentials/auth.md#methods)